BF: anchor apache- filters. Close #248

See https://vndh.net/note:fail2ban-089-denial-service for more information

config/filter.d/apache-auth.conf

@@ -4,6 +4,12 @@
 #
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -13,9 +19,7 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] user .* authentication failure
-            [[]client <HOST>[]] user .* not found
-            [[]client <HOST>[]] user .* password mismatch
+failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

config/filter.d/apache-common.conf

@@ -0,0 +1,17 @@
+# Generic configuration items (to be used as interpolations) in other
+# apache filters
+#
+# Author: Yaroslav Halchenko
+#
+#
+
+[INCLUDES]
+
+# Load customizations if any available
+after = apache-common.local
+
+
+[DEFAULT]
+
+# Common prefix for [error] apache messages which also would include <HOST>
+_apache_error_client = \[[^]]+\] \[error\] \[client <HOST>\]

config/filter.d/apache-nohome.conf

@@ -4,6 +4,12 @@
 #
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -13,7 +19,7 @@
 #          per-domain log files.
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] File does not exist: .*/~.*
+failregex = ^%(_apache_error_client)s File does not exist: .*/~.*
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

config/filter.d/apache-noscript.conf

@@ -4,6 +4,12 @@
 #
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -13,8 +19,8 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
-            [[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$
+failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
+            ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

config/filter.d/apache-overflows.conf

@@ -4,13 +4,19 @@
 #
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
 # Notes.:  Regexp to catch Apache overflow attempts.
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
+failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

testcases/files/logs/apache-auth

@@ -0,0 +1,5 @@
+# Should not match -- DoS vector https://vndh.net/note:fail2ban-089-denial-service
+[Sat Jun 01 02:17:42 2013] [error] [client 192.168.33.1] File does not exist: /srv/http/site/[client 192.168.0.1] user root not found
+
+# should match
+[Sat Jun 01 02:17:42 2013] [error] [client 192.168.0.2] user root not found

testcases/files/logs/apache-noscript

@@ -0,0 +1 @@
+[Sun Jun 09 07:57:47 2013] [error] [client 192.0.43.10] script '/usr/lib/cgi-bin/gitweb.cgiwp-login.php' not found or unable to stat